Invalid Packet by @_coreDump

Wednesday, November 20, 2013

As part of research on the LaunchKey iPhone application, I discovered a vulnerability in the verification process. This flaw allowed an attacker to hijack any user account and perform actions in the victim's account.

The vulnerability was responsibly disclosed to the LaunchKey security team and was fixed in record time and verified ;-) Kudos to the LaunchKey Sec team!

OK so here are the technical details:

LaunchKey user setup request:
When a user launches the LaunchKey iPhone application, they are presented with a welcome page with two options: set up a user or pair a device.

Each option sends the same request to the LaunchKey servers, containing the username, email and device name to pair with.

As you can see, the LaunchKey traffic was heavily encrypted, so it was a great way to test-drive iNalyzer on iOS 7.
I fired up iNalyzer and created the package for LaunchKey, copied it to my computer and started looking around for the encryption class, looking for the method that was in charge of encrypting the register-device request.

I found that the communication encryption is done via the LKAPIClient class:

Looking further into the LKAPIClient selectors, I found the following:

- (id)getDevicesPostParams:(id)params withUserName:(id)userName withEmail:(id)email withDeviceName:(id)deviceName withToken:(id)token

The only missing parts are params and the token.
Params turned out to be the public key that the API sends back to the client on initialization, and the token, generated for each individual registration process, was saved in the keychain under the "KeyboardWidth" key.

When I invoked the selector I received the encrypted request parameters as a string.
All I needed to do was wrap the params in the proper request syntax for the registration POST request, so I wrapped this selector in a cycript helper function that creates the request and sends it to the server:

Then, by simply calling setupDevice(@"someUser",@"SomeEmail@mailinator.com"), I got the request encrypted, signed and sent to the server; that is, I asked the server to authorize my device as a LaunchKey device for the victim's account using his email and username.

OK, so I used this function to pair my device to my victim test account, and I got an "awaiting email confirmation" message.

Then I tried to force usage of the new device to pull data from the LaunchKey servers,
and found that to pull the logs from the server I needed to load the LKLogsViewController:

And call the loadTheLogs selector:

- (void)loadTheLogs:(BOOL)logs

So I wrote another cycript wrapper function to do this small job for me:

So I fired up the mail client, contacted the LaunchKey sec team, and in less than 3 days the issue was patched and fixed. Kudos to the LaunchKey sec team indeed, and I even got a place of gratitude in their white-hat hall of fame.

So, we have learned that:
1. Encrypted traffic is not an obstacle with iNalyzer
2. Server-side validation and authorization checks must be made on each access request
3. There are some vendors that treat security vulnerabilities and responsible disclosure with the required attention.
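As an added illustration of lesson 2 (my own hypothetical server-side model in Python, not LaunchKey's code), a pairing request creates an unconfirmed pairing, and the logs endpoint re-checks that state on every request instead of trusting that the client holds a device token:

```python
import hashlib
import hmac
import secrets

# Hypothetical server model (assumption, not LaunchKey's implementation):
# a pairing can be *requested* by anyone who knows a username/email, but it
# grants nothing until the account owner confirms it out of band.

class PairingDenied(Exception):
    pass

class PairingServer:
    def __init__(self):
        self.pairings = {}  # device_token -> pairing record
        self.logs = {}      # email -> list of log lines (constructed sample data)

    def setup_device(self, username, email, device_name):
        """Step 1: create an unconfirmed pairing; return the device token and the
        confirmation token that would be e-mailed to the account owner."""
        device_token = secrets.token_hex(16)
        confirm_token = secrets.token_hex(16)
        self.pairings[device_token] = {
            "user": username, "email": email, "device": device_name,
            "confirmed": False,
            # only a hash of the confirmation token is kept server-side
            "confirm_hash": hashlib.sha256(confirm_token.encode()).hexdigest(),
        }
        return device_token, confirm_token

    def confirm_device(self, device_token, confirm_token):
        """Step 2: only the holder of the e-mailed token can confirm the pairing."""
        p = self.pairings.get(device_token)
        if p is None:
            return False
        given = hashlib.sha256(confirm_token.encode()).hexdigest()
        if not hmac.compare_digest(p["confirm_hash"], given):
            return False
        p["confirmed"] = True
        return True

    def is_authorized(self, device_token):
        p = self.pairings.get(device_token)
        return p is not None and p["confirmed"]

    def load_the_logs(self, device_token):
        """Every data endpoint re-checks the pairing state on each request."""
        if not self.is_authorized(device_token):
            raise PairingDenied("device not paired or awaiting email confirmation")
        return list(self.logs.get(self.pairings[device_token]["email"], []))
```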